Do you need to become PCI compliant? We'll help you complete the requirements. Qualys is certified to help merchants and their consultants achieve compliance with the PCI Data Security Standard (DSS) including the scan requirements:
1) Quarterly External Scan
Per PCI DSS requirement 11.2.2, merchants must have quarterly external vulnerability scans performed by an Approved Scanning Vendor (ASV), a vendor approved by the PCI Security Standards Council (PCI SSC). Qualys is a certified ASV. All Internet-facing system components of the cardholder data environment must be included in the scan.
2) Quarterly Internal Scan
Per PCI DSS requirements 11.2.1 and 11.2.3, merchants must run quarterly internal vulnerability scans (and re-scan after any significant change) and obtain a passing result. All system components in the cardholder data environment must be scanned. Per requirement 6.1, merchants must maintain a process to identify newly discovered security vulnerabilities and assign them a risk ranking; an internal scan passes only when all vulnerabilities ranked High under that process have been fixed.
Some things to consider...
What systems should I scan? Hosts that store, process or transmit cardholder data must be scanned, together with every other system component in the cardholder data environment (for example, systems connected to or able to affect the security of those hosts). Refer to the PCI Data Security Standard (DSS) for the scoping rules. Check that these hosts are in your account by going to Assets > Host Assets.
Do I need to add Qualys scanners to my allow list? Yes, our scanners must be able to reach the target hosts being scanned. Go to Help > About to see the IP addresses of the Qualys external scanners that you need to add to your allow list (your firewall and any IPS should not block or rate-limit them, or the scan results will be incomplete). The same page lists the URLs that your internal scanner appliances must be able to contact for internal scanning.
Problems can arise when scan traffic is routed through the firewall from the inside out, i.e. when the scanner appliance sits in the protected network and scans a target located on the other side of the firewall. See Scanning and Firewalls.
Quarterly External Scan
Step 1: Run a Scan Under VM/VMDR, go to Scans > New > Scan and: 1) select the IPs to scan, and 2) select a PCI option profile such as "Payment Card Industry (PCI) Options". This profile contains the scan settings required by the PCI DSS standard. Use the Qualys external (Internet-based) scanners for this scan rather than an internal scanner appliance: an ASV scan must reflect what is reachable from the Internet. Learn more about PCI Option Profiles
Step 2: Fix Vulnerabilities and Re-Scan Run the PCI Technical Report to see whether your scan is compliant. Go to Reports > Templates, hover over the "Payment Card Industry (PCI) Technical Report" and select Run from the Quick Actions menu. The report shows the PCI compliance status (PASS or FAIL) for the overall report, for each host and for each vulnerability detected. Vulnerabilities with the FAIL status must be fixed to meet the PCI compliance requirements. (Vulnerabilities with no PCI status are not required for compliance; we still recommend fixing them in severity order.) After fixing vulnerabilities, re-scan to verify that all PCI vulnerabilities are fixed and the overall status is PASS.
Step 3: Create Your Certification Report 1) Select PCI from the application picker, then add a link to a PCI Merchant account (new or existing). You'll use this account to create your certification report. 2) Select VM from the application picker. Go to Scans, select your external PCI scan from the list, click Share with PCI (in the preview pane) and select the PCI account you linked. We'll share (import) the scan into your PCI account, adding any scanned IPs that are not already in the account. 3) Select PCI from the application picker and log in to your PCI account. 4) Now you're ready to create your certification report within PCI. Go to Compliance > Compliance Status, click Generate (under Compliance Status > Actions) and use the report wizard to create your report and submit it to your acquiring bank(s).
Quarterly Internal Scan
Step 1: Organize Your Hosts Go to Assets > Asset Groups and create groups that organize your IPs according to your custom PCI risk ranking. Each group corresponds to one risk-ranking scale. Later, after you scan your IPs, you'll create scan reports to verify compliance against that scale.
Step 2: Run a Scan Under VM/VMDR, go to Scans > New > Scan and: 1) select the asset groups you want to scan (created in the previous step), and 2) select a standard option profile such as "Initial Options" or one that you've customized. The "Payment Card Industry (PCI) Options" profile is not recommended here, since its settings are tailored for an external PCI scan and may increase your scan time significantly.
Step 3: Create Your PCI Scan Report First create a PCI report template. Go to Reports > Templates and select New > PCI Scan Template. We use the vulnerability risk rankings High, Medium and Low. By default their CVSS base score ranges match the thresholds used for ASV external PCI scans (where a CVSS base score of 4.0 or higher is a failing vulnerability). Under PCI Risk Ranking, adjust the CVSS base score ranges for High, Medium and Low so that they reflect the risk-ranking scale your organization defined under requirement 6.1. Create a template for each ranking scale within your organization, then create one report per template. To create a report, go to Reports > Templates, hover over your template, and select Run from the Quick Actions menu.
Step 4: Fix Vulnerabilities and Re-Scan Review your PCI scan reports. Any High ranking vulnerabilities must be fixed. Re-scan and re-run your reports to confirm that no High ranking vulnerabilities remain.
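As an added worked example (not Qualys code and not part of this page), the following Python script applies the ranking and pass/fail rules described in the external Step 2 and the internal Steps 3 and 4 to constructed sample findings: it ranks each finding on a CVSS-based scale, marks a host FAIL for the external report when a PCI-relevant finding scores 4.0 or above, treats the internal scan as passing only when no High-ranked findings remain, and models the re-scan after remediation. The host names, QIDs and the 7.0/4.0 ranking scale are assumptions for illustration; the actual PCI status comes from the Qualys report, which applies further ASV rules beyond the CVSS threshold.

```python
"""Apply a PCI risk-ranking scale to scan findings and compute PASS/FAIL.

Added example, not Qualys code: it reproduces the ranking and pass/fail
rules described on this page on constructed sample data, offline.
"""
from dataclasses import dataclass

# ASV Program Guide rule: a PCI-relevant vulnerability with a CVSS base score
# of 4.0 or higher fails an external scan.
ASV_FAIL_THRESHOLD = 4.0

# Illustrative internal risk-ranking scale (an assumption; define your own
# ranges under requirement 6.1). Values are inclusive lower bounds.
DEFAULT_RISK_SCALE = {"High": 7.0, "Medium": 4.0, "Low": 0.0}


@dataclass(frozen=True)
class Finding:
    host: str
    qid: int                    # detection ID; the numbers below are made up
    title: str
    cvss_base: float
    pci_relevant: bool = True   # False = no PCI status, does not affect compliance


def rank(cvss_base, scale=DEFAULT_RISK_SCALE):
    """Map a CVSS base score onto the ranking scale (highest matching bound wins)."""
    for name, lower in sorted(scale.items(), key=lambda kv: kv[1], reverse=True):
        if cvss_base >= lower:
            return name
    return min(scale, key=scale.get)


def external_status(findings, hosts=None):
    """Per-host and overall PASS/FAIL as shown in the PCI Technical Report.

    Only the CVSS threshold rule is modelled here; the real report applies
    further ASV rules and is the authority on PCI status.
    """
    per_host = {h: "PASS" for h in (hosts or {f.host for f in findings})}
    for f in findings:
        per_host.setdefault(f.host, "PASS")
        if f.pci_relevant and f.cvss_base >= ASV_FAIL_THRESHOLD:
            per_host[f.host] = "FAIL"
    overall = "FAIL" if "FAIL" in per_host.values() else "PASS"
    return overall, per_host


def internal_status(findings, scale=DEFAULT_RISK_SCALE):
    """Internal scan passes once no High-ranked vulnerabilities remain."""
    outstanding = [f for f in findings if rank(f.cvss_base, scale) == "High"]
    return ("PASS" if not outstanding else "FAIL"), outstanding


def remaining_after_fix(findings, fixed_qids):
    """Model a re-scan after remediation: findings for fixed QIDs disappear."""
    return [f for f in findings if f.qid not in fixed_qids]


# Constructed sample findings (not real scan output).
SAMPLE_HOSTS = ["web1", "db1", "app2"]
SAMPLE_FINDINGS = [
    Finding("web1", 900001, "TLS 1.0 enabled", 5.3),
    Finding("web1", 900002, "HTTP TRACE method enabled", 3.1),
    Finding("db1", 900003, "Outdated SSH server", 7.5),
    Finding("app2", 900004, "Service banner disclosed", 0.0, pci_relevant=False),
]

if __name__ == "__main__":
    overall, per_host = external_status(SAMPLE_FINDINGS, SAMPLE_HOSTS)
    print("External:", overall, per_host)
    status, outstanding = internal_status(SAMPLE_FINDINGS)
    print("Internal:", status, [f.title for f in outstanding])
    rescan = remaining_after_fix(SAMPLE_FINDINGS, {900001, 900003})
    print("After fix:", external_status(rescan, SAMPLE_HOSTS)[0],
          internal_status(rescan)[0])
```

On the sample data the external report fails on web1 (TLS 1.0, CVSS 5.3) and db1 (CVSS 7.5) while app2 passes, and the internal report fails only on db1's High finding; fixing the SSH server alone makes the internal scan pass but leaves the external scan failing until the TLS finding is also remediated, which is exactly why both re-scans are needed. A stricter organizational scale (for example High starting at 5.0) would also pull the TLS finding into the internal High bucket.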